W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: CfC to publish FPWD of CSP Pinning; deadline Feb. 9th

From: Deian Stefan <deian@cs.stanford.edu>
Date: Mon, 16 Feb 2015 12:02:17 -0800
To: Mike West <mkwst@google.com>
Cc: "public-webappsec\@w3.org" <public-webappsec@w3.org>, Dan Veditz <dveditz@mozilla.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>, Brian Smith <brian@briansmith.org>
Message-ID: <87pp99r5fa.fsf@cs.stanford.edu>

Great!

Mike West <mkwst@google.com> writes:
> Because I don't understand why ServiceWorkers have introduced
> path-based granularity. As I noted in that thread (and as Brian
> agreed), the origin makes sense as a security boundary. Pretending
> that such a boundary exists for paths seems problematic.

I suppose the one case where the path-based approach helps is the
university scenario, where e.g. stanford.edu/~evil sets an
overly-restricting CSP that ends up breaking *.stanford.edu.  The right
thing here is for the admin to disallow setting such headers, but I can
see that becoming a problem. (But, I guess ~evil can already mess with
cookies, etc.)

In any case, I agree with sticking to the origin as the security
boundary, I was more curious to see if you got any info from Alex or
others on the path stuff off-list.

Deian
Received on Monday, 16 February 2015 20:02:48 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC